try creating NVRAM entry before prompting for owner password (issue #151)

Trammell Hudson 2017-04-12 06:53:54 -04:00
parent fa8c3abe98
commit 6a734208b0

@ -5,16 +5,12 @@
TPM_INDEX=3 TPM_INDEX=3
TPM_SIZE=312 TPM_SIZE=312
KEY_FILE=/tmp/secret.key KEY_FILE="/tmp/secret/secret.key"
TPM_SEALED="/tmp/secret/secret.sealed"
RECOVERY_KEY="/tmp/secret/recovery.key"
. /config . /etc/functions
. /etc/config
die() {
echo >&2 "$@";
rm -f /tmp/secret.key /tmp/recovery.key /tmp/sealed
exit 1;
}
warn() { echo >&2 "$@"; }
# Activate the LVM volume group # Activate the LVM volume group
VOLUME_GROUP=qubes_dom0 VOLUME_GROUP=qubes_dom0
@ -25,21 +21,21 @@ lvm vgchange -a y $VOLUME_GROUP \
# that they user entered when they installed Qubes, # that they user entered when they installed Qubes,
# key slot 1 is the one that we've generated. # key slot 1 is the one that we've generated.
read -s -p "Enter disk recovery key: " disk_password read -s -p "Enter disk recovery key: " disk_password
echo -n "$disk_password" > /tmp/recovery.key echo -n "$disk_password" > "$RECOVERY_KEY"
echo echo
# Remove all the old keys from slot 1 # Remove all the old keys from slot 1
for dev in /dev/$VOLUME_GROUP/*; do for dev in /dev/$VOLUME_GROUP/*; do
echo "++++++ $dev: Removing old key slot" echo "++++++ $dev: Removing old key slot"
cryptsetup luksKillSlot \ cryptsetup luksKillSlot \
--key-file /tmp/recovery.key \ --key-file "$RECOVERY_KEY" \
$dev 1 \ $dev 1 \
|| warn "$dev: ignoring problem" || warn "$dev: ignoring problem"
done done
read -s -p "New disk decryption password for booting: " key_password read -s -p "New disk unlock password for booting: " key_password
echo echo
read -s -p "Repeat password: " key_password2 read -s -p "Repeat unlock code: " key_password2
echo echo
if [ "$key_password" != "$key_password2" ]; then if [ "$key_password" != "$key_password2" ]; then
@ -57,19 +53,25 @@ dd \
for dev in /dev/$VOLUME_GROUP/*; do for dev in /dev/$VOLUME_GROUP/*; do
echo "+++++ $dev: Adding key" echo "+++++ $dev: Adding key"
cryptsetup luksAddKey \ cryptsetup luksAddKey \
--key-file /tmp/recovery.key \ --key-file "$RECOVERY_KEY" \
--key-slot 1 \ --key-slot 1 \
$dev "$KEY_FILE" \ $dev "$KEY_FILE" \
|| die "$dev: Unable to add key" || die "$dev: Unable to add key"
done done
# Now that we have setup the new keys, measure the PCRs # Now that we have setup the new keys, measure the PCRs
# We don't care what ends up in PCR 6; we just want
# to get the /tmp/luksDump.txt file. We use PCR16
# since it should still be zero
/bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \ /bin/qubes-measure-luks /dev/$VOLUME_GROUP/* \
|| die "Unable to measure the LUKS headers" || die "Unable to measure the LUKS headers"
luks_pcr=`tpm calcfuturepcr -ix 16 -if /tmp/luksDump.txt`
# Note that PCR 4 needs to be set with the "normal-boot" # Note that PCR 4 needs to be set with the "normal-boot"
# path value, which we do not have right now since we are # path value, which we do not have right now since we are
# in a recovery shell. # in a recovery shell.
# used to be -ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \
# now just all zeros in a normal boot
# PCR 5 must be all zero since no kernel modules should have # PCR 5 must be all zero since no kernel modules should have
# been loaded during a normal boot, but might have been # been loaded during a normal boot, but might have been
# loaded in the recovery shell. # loaded in the recovery shell.
@ -77,43 +79,48 @@ done
# from the TPM as part of the sealing ("X"). # from the TPM as part of the sealing ("X").
tpm sealfile2 \ tpm sealfile2 \
-if "$KEY_FILE" \ -if "$KEY_FILE" \
-of /tmp/sealed \ -of "$TPM_SEALED" \
-pwdd "$key_password" \ -pwdd "$key_password" \
-hk 40000000 \ -hk 40000000 \
-ix 0 X \ -ix 0 X \
-ix 1 X \ -ix 1 X \
-ix 2 X \ -ix 2 X \
-ix 3 X \ -ix 3 X \
-ix 4 f8fa3b6e32e7c6fe04c366e74636e505b28f3b0d \ -ix 4 0000000000000000000000000000000000000000 \
-ix 5 0000000000000000000000000000000000000000 \ -ix 5 0000000000000000000000000000000000000000 \
-ix 6 X \ -ix 6 $luks_pcr \
|| die "Unable to seal secret" || die "Unable to seal secret"
rm -f "$KEY_FILE" rm -f "$KEY_FILE"
# try it without the owner password first
# to create an nvram space we need the TPM owner password if ! tpm nv_writevalue \
# and the TPM physical presence must be asserted.
#
# The permissions are 0 since there is nothing special
# about the sealed file
tpm physicalpresence -s \
|| warn "Warning: Unable to assert physical presence"
read -s -p "TPM Owner password: " tpm_password
echo
tpm nv_definespace \
-in $TPM_INDEX \ -in $TPM_INDEX \
-sz $TPM_SIZE \ -if "$TPM_SEALED" \
-pwdo "$tpm_password" \ ; then
-per 0 \ # to create an nvram space we need the TPM owner password
|| warn "Warning: Unable to define NVRAM space; trying anyway" # and the TPM physical presence must be asserted.
#
# The permissions are 0 since there is nothing special
# about the sealed file
tpm physicalpresence -s \
|| warn "Warning: Unable to assert physical presence"
read -s -p "TPM Owner password: " tpm_password
echo
tpm nv_definespace \
-in $TPM_INDEX \
-sz $TPM_SIZE \
-pwdo "$tpm_password" \
-per 0 \
|| warn "Warning: Unable to define NVRAM space; trying anyway"
tpm nv_writevalue \ tpm nv_writevalue \
-in $TPM_INDEX \ -in $TPM_INDEX \
-if /tmp/sealed \ -if "$TPM_SEALED" \
|| die "Unable to write sealed secret to NVRAM" || die "Unable to write sealed secret to NVRAM"
fi
rm /tmp/sealed rm "$TPM_SEALED" \